Hi,
you are right... more details ...
I must also specify that Apache in SSL (https) is working fine with these certificates... I do not say this is an Apache problem, but more on the LDAP module and certainly on the libraries underneath...
A) Apache
Syntax inside Apache:
LDAPTrustedMode SSL
LDAPTrustedGlobalCert CA_DER /etc/apache2/ssl.apa/Comodo_Apache.cer
In this case, this is the certificate (since I am authenticating against Novell eDirectory, sometimes it requests the server certificate itself as the CA). But I also used the CA cert from Comodo and it's the same.
Error in apache log is only (and my server is available, of course):
[Fri Nov 13 07:37:53 2009] [warn] [client 192.168.10.171] [21099] auth_ldap authenticate: user fpe authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
B) Tests with OpenLdap
ldap.conf is:
TLS_KEY /etc/openldap/certs/server.key
TLS_CACERT /etc/openldap/certs/cacert.txt
TLS_CERT /etc/openldap/certs/server.cer
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv2
TLS_REQCERT never
Testing with:
ldapsearch -H ldaps://myserver -D cn=binduser,ou=myou,o=idsa -W -x "(cn=thisobject)"
Doesn't work. Only by putting TLS_REQCERT never in ldap.conf can I use LDAPS (but without any cert validation in this case... bad ;-( )
Hope this helps. Thx
>>> Emmanuel Bailleul <Emmanuel.Bailleul@xxxxxxxxxxx> 13.11.2009 08:40 >>>
>From: Francois Pernet [mailto:Francois.Pernet@xxxxxxx]
>Sent: Friday 13 November 2009 07:00
>To: users@xxxxxxxxxxxxxxxx
>Subject: mod_authnz_ldap with wildcard certificate
>
>Hi all,
>
>Unable to use a wildcard certificate (*.domain.com from Comodo) with LDAP authentication
>in Apache 2.2.3-16.25.4 in LDAPS. The authentication fails...
>
>I verified that the certificate contains:
>Subject: ....*.domain.com
>X509v3 Subject Alternative Name:
>    DNS:*.domain.com, DNS:domain.com
>Is there any known issue with wildcard certificates?
>How proper should the syntax be in order to use it?
>
>Thx in advance

Hi,
How can you be sure this is an Apache problem? Did you try first "by hand" to perform for example an ldapsearch test? And would you show us snippets of your conf file(s) and especially of the Apache logs when it fails?
Regards.
Emmanuel

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
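Added example, not code from the thread or from Apache/OpenLDAP: a small hostname-versus-SAN matcher that shows which connection names a validating TLS client would accept for the wildcard certificate quoted above. The SAN list is the one from the quoted message; the hostnames tested are constructed, and the wildcard rule applied is the strict one (the `*` must be the entire left-most label and covers exactly one label), which is the check that `TLS_REQCERT never` switches off.

```python
"""Which hostnames does a '*.domain.com' certificate cover?

Constructed example: the SAN entries come from the quoted message, the
hostnames below are made up. Matching follows the strict wildcard rule
(whole left-most label only, one label deep, never at TLD level).
"""

# X509v3 Subject Alternative Name entries quoted in the original post.
SAN_DNS_NAMES = ["*.domain.com", "domain.com"]


def _normalize(name: str) -> str:
    """DNS names are case-insensitive; a trailing dot is not significant."""
    return name.rstrip(".").lower()


def san_matches(san: str, hostname: str) -> bool:
    """True if a single DNS SAN entry covers the given hostname."""
    san, hostname = _normalize(san), _normalize(hostname)
    if "*" not in san:
        return san == hostname                      # plain name: exact match
    san_labels, host_labels = san.split("."), hostname.split(".")
    # Wildcard must be the whole left-most label, appear only there, and the
    # pattern needs at least two fixed labels so '*.com' matches nothing.
    if san_labels[0] != "*" or "*" in san[1:] or len(san_labels) < 3:
        return False
    # One wildcard covers exactly one label: same depth, identical tail.
    return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]


def cert_covers(hostname: str, san_names=SAN_DNS_NAMES) -> bool:
    """True if any SAN entry of the certificate covers hostname."""
    return any(san_matches(san, hostname) for san in san_names)


def report(hostnames):
    """Map each candidate connection name to whether the cert covers it."""
    return {h: cert_covers(h) for h in hostnames}


if __name__ == "__main__":
    # Constructed candidates: a short name as in 'ldaps://myserver', an FQDN
    # under the wildcard, the bare domain, and a name two labels deep.
    for host, ok in report(["myserver", "ldap.domain.com",
                            "domain.com", "a.b.domain.com"]).items():
        print(f"{host:20s} {'accepted' if ok else 'REJECTED (name mismatch)'}")
```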